Hi Everyone,
Got possibly a classic crypto map problem here, running through the R&S V5 Workbook using VIRL, doing the lab on the Crypto maps, looks like the ipsec sa comes up, but I only encaps/decaps one way (when sending ping from R10 to 9):
R8#sh crypto ipsec sa
interface: GigabitEthernet0/1.58
Crypto map tag: R7_TO_R8, local addr 150.1.8.8
protected vrf: (none)
local ident (addr/mask/prot/port): (150.1.10.10/255.255.255.255/0/0)
remote ident (addr/mask/prot/port): (150.1.9.9/255.255.255.255/0/0)
current_peer 150.1.7.7 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
When I try to ping back from the other end, R9, R7 doesn't even start Phase 1, and looking at the ACL it looks like the traffic isn't hitting it, even though it's applied via the crypto map and the crypto map is applied to the outbound interface:
R7#sh crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map: "R7_TO_R8" idb: Loopback0 local address: 150.1.7.7
Crypto Map IPv4 "R7_TO_R8" 10 ipsec-isakmp
Peer = 150.1.8.8
Extended IP access list R7_TO_R8_ACL
access-list R7_TO_R8_ACL permit ip host 150.1.9.9 host 150.1.10.10
access-list R7_TO_R8_ACL permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
access-list R7_TO_R8_ACL permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
access-list R7_TO_R8_ACL permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255
Current peer: 150.1.8.8
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
ESP_AES192_SHA384: { esp-192-aes esp-sha384-hmac } ,
}
Interfaces using crypto map R7_TO_R8:
GigabitEthernet0/1.37
R7#sh acc
R7#sh access-li
R7#sh access-lists
Extended IP access list R7_TO_R8_ACL
10 permit ip host 150.1.9.9 host 150.1.10.10
20 permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
30 permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
40 permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255
I've confirmed the routing between the VPN endpoints (R7 & 8), tried deleting the crypto maps off the interface and putting them back on, and finally did a reload. I'm always thinking my mistakes are bugs in VIRL, but this looks really strange. I've spent around 3 nights looking at it; think I need a second pair of eyes!
Here is the crypto map & ACL from the other side for reference:
R8#sh crypto map
Interfaces using crypto map NiStTeSt1:
Crypto Map: "R7_TO_R8" idb: Loopback0 local address: 150.1.8.8
Crypto Map IPv4 "R7_TO_R8" 10 ipsec-isakmp
Peer = 150.1.7.7
Extended IP access list R7_TO_R8_ACL
access-list R7_TO_R8_ACL permit ip host 150.1.10.10 host 150.1.9.9
access-list R7_TO_R8_ACL permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
access-list R7_TO_R8_ACL permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
access-list R7_TO_R8_ACL permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
Current peer: 150.1.7.7
Security association lifetime: 4608000 kilobytes/3600 seconds
Responder-Only (Y/N): N
PFS (Y/N): N
Mixed-mode : Disabled
Transform sets={
ESP_AES192_SHA384: { esp-192-aes esp-sha384-hmac } ,
}
Interfaces using crypto map R7_TO_R8:
GigabitEthernet0/1.58
R8# sh acc
R8# sh access-li
R8# sh access-lists
Extended IP access list R7_TO_R8_ACL
10 permit ip host 150.1.10.10 host 150.1.9.9 (83 matches)
20 permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
30 permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
40 permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
R8#
Comments
any chance u could give us some crypto isakmp debugs from both sides - let's see what ur phase 1 protocols are doing?
Yeah sure, isakmp from R7 when responding to R8 phase 1 is below. One thing to note: if I try to establish phase 1 from R7 to R8, isakmp doesn't even start:
R7:
ISAKMP (0): received packet from 150.1.8.8 dport 500 sport 500 Global (N) NEW SA
ISAKMP: Created a peer struct for 150.1.8.8, peer port 500
ISAKMP: New peer created peer = 0xE8D6D58 peer_handle = 0x80000003
ISAKMP: Locking peer struct 0xE8D6D58, refcount 1 for crypto_isakmp_process_block
ISAKMP: local port 500, remote port 500
ISAKMP:(0):insert sa successfully sa = AB80078
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_READY New State = IKE_R_MM1
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):found peer pre-shared key matching 150.1.8.8
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA512
ISAKMP: default group 24
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 86400
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 245 mismatch
ISAKMP (0): vendor ID is NAT-T v7
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 157 mismatch
ISAKMP:(0): vendor ID is NAT-T v3
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
ISAKMP:(0): vendor ID is NAT-T v2
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM1
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_R_MM1 New State = IKE_R_MM2
ISAKMP (0): received packet from 150.1.8.8 dport 500 sport 500 Global (R) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_R_MM2 New State = IKE_R_MM3
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 150.1.8.8
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID is DPD
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): speaking to another IOS box!
ISAKMP:(1002): processing vendor id payload
ISAKMP:(1002): vendor ID seems Unity/DPD but major 226 mismatch
ISAKMP:(1002): vendor ID is XAUTH
ISAKMP:received payload type 20
ISAKMP (1002): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1002): No NAT Found for self or peer
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM3
ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_R_MM3 New State = IKE_R_MM4
ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) MM_KEY_EXCH
ISAKMP:(1002):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1002):Old State = IKE_R_MM4 New State = IKE_R_MM5
ISAKMP:(1002): processing ID payload. message ID = 0
ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 150.1.8.8
protocol : 17
port : 500
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1002): processing HASH payload. message ID = 0
ISAKMP:(1002): processing NOTIFY INITIAL_CONTACT protocol 1
spi 0, message ID = 0, sa = 0xAB80078
ISAKMP:(1002):SA authentication status:
authenticated
ISAKMP:(1002):SA has been authenticated with 150.1.8.8
ISAKMP:(1002):SA authentication status:
authenticated
ISAKMP:(1002): Process initial contact,
bring down existing phase 1 and 2 SA's with local 150.1.7.7 remote 150.1.8.8 remote port 500
ISAKMP: Trying to insert a peer 150.1.7.7/150.1.8.8/500/, and inserted successfully E8D6D58.
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_R_MM5
ISAKMP:(1002):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1002): ID payload
next-payload : 8
type : 1
address : 150.1.7.7
protocol : 17
port : 500
length : 12
ISAKMP:(1002):Total payload length: 12
ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) MM_KEY_EXCH
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1002):Old State = IKE_R_MM5 New State = IKE_P1_COMPLETE
ISAKMP:(1002):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1002):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP: set new node 912673883 to QM_IDLE
ISAKMP:(1002): processing HASH payload. message ID = 912673883
ISAKMP:(1002): processing SA payload. message ID = 912673883
ISAKMP:(1002):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA384
ISAKMP: key length is 192
ISAKMP:(1002):atts are acceptable.
ISAKMP:(1002): processing NONCE payload. message ID = 912673883
ISAKMP:(1002): processing ID payload. message ID = 912673883
ISAKMP:(1002): processing ID payload. message ID = 912673883
ISAKMP:(1002):QM Responder gets spi
ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1002):Old State = IKE_QM_READY New State = IKE_QM_SPI_STARVE
ISAKMP:(1002):Node 912673883, Input = IKE_MESG_INTERNAL, IKE_GOT_SPI
ISAKMP:(1002):Old State = IKE_QM_SPI_STARVE New State = IKE_QM_IPSEC_INSTALL_AWAIT
ISAKMP: Failed to find peer index node to update peer_info_list
ISAKMP:(1002):Received IPSec Install callback... proceeding with the negotiation
ISAKMP:(1002):Successfully installed IPSEC SA (SPI:0xC876977A) on GigabitEthernet0/1.37
ISAKMP:(1002): sending packet to 150.1.8.8 my_port 500 peer_port 500 (R) QM_IDLE
ISAKMP:(1002):Sending an IKE IPv4 Packet.
ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP:(1002):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_R_QM2
ISAKMP (1002): received packet from 150.1.8.8 dport 500 sport 500 Global (R) QM_IDLE
ISAKMP:(1002):deleting node 912673883 error FALSE reason "QM done (await)"
ISAKMP:(1002):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1002):Old State = IKE_QM_R_QM2 New State = IKE_QM_PHASE2_COMPLETE
R7#
R8 (initiator) :
ISAKMP:(0): SA request profile is (NULL)
ISAKMP: Created a peer struct for 150.1.7.7, peer port 500
ISAKMP: New peer created peer = 0xE95DCA8 peer_handle = 0x80000009
ISAKMP: Locking peer struct 0xE95DCA8, refcount 1 for isakmp_initiator
ISAKMP: local port 500, remote port 500
ISAKMP: set new node 0 to QM_IDLE
ISAKMP:(0):insert sa successfully sa = B7939F8
ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
ISAKMP:(0):found peer pre-shared key matching 150.1.7.7
ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
ISAKMP:(0): constructed NAT-T vendor-07 ID
ISAKMP:(0): constructed NAT-T vendor-03 ID
ISAKMP:(0): constructed NAT-T vendor-02 ID
ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
ISAKMP:(0): beginning Main Mode exchange
ISAKMP:(0): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_NO_STATE
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_NO_STATE
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM1 New State = IKE_I_MM2
ISAKMP:(0): processing SA payload. message ID = 0
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):found peer pre-shared key matching 150.1.7.7
ISAKMP:(0): local preshared key found
ISAKMP : Scanning profiles for xauth ...
ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption AES-CBC
ISAKMP: keylength of 256
ISAKMP: hash SHA512
ISAKMP: default group 24
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP:(0):atts are acceptable. Next payload is 0
ISAKMP:(0):Acceptable atts:actual life: 0
ISAKMP:(0):Acceptable atts:life: 0
ISAKMP:(0):Fill atts in sa vpi_length:4
ISAKMP:(0):Fill atts in sa life_in_seconds:86400
ISAKMP:(0):Returning Actual lifetime: 86400
ISAKMP:(0)::Started lifetime timer: 86400.
ISAKMP:(0): processing vendor id payload
ISAKMP:(0): vendor ID seems Unity/DPD but major 69 mismatch
ISAKMP (0): vendor ID is NAT-T RFC 3947
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM2
ISAKMP:(0): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Sending an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2 New State = IKE_I_MM3
ISAKMP (0): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3 New State = IKE_I_MM4
ISAKMP:(0): processing KE payload. message ID = 0
ISAKMP:(0): processing NONCE payload. message ID = 0
ISAKMP:(0):found peer pre-shared key matching 150.1.7.7
ISAKMP:(1004): processing vendor id payload
ISAKMP:(1004): vendor ID is Unity
ISAKMP:(1004): processing vendor id payload
ISAKMP:(1004): vendor ID is DPD
ISAKMP:(1004): processing vendor id payload
ISAKMP:(1004): speaking to another IOS box!
ISAKMP:received payload type 20
ISAKMP (1004): His hash no match - this node outside NAT
ISAKMP:received payload type 20
ISAKMP (1004): No NAT Found for self or peer
ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM4
ISAKMP:(1004):Send initial contact
ISAKMP:(1004):SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 150.1.8.8
protocol : 17
port : 500
length : 12
ISAKMP:(1004):Total payload length: 12
ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) MM_KEY_EXCH
ISAKMP:(1004):Sending an IKE IPv4 Packet.
ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1004):Old State = IKE_I_MM4 New State = IKE_I_MM5
ISAKMP (1004): received packet from 150.1.7.7 dport 500 sport 500 Global (I) MM_KEY_EXCH
ISAKMP:(1004): processing ID payload. message ID = 0
ISAKMP (1004): ID payload
next-payload : 8
type : 1
address : 150.1.7.7
protocol : 17
port : 500
length : 12
ISAKMP:(0):: peer matches *none* of the profiles
ISAKMP:(1004): processing HASH payload. message ID = 0
ISAKMP:(1004):SA authentication status:
authenticated
ISAKMP:(1004):SA has been authenticated with 150.1.7.7
ISAKMP: Trying to insert a peer 150.1.8.8/150.1.7.7/500/, and inserted successfully E95DCA8.
ISAKMP:(1004):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(1004):Old State = IKE_I_MM5 New State = IKE_I_MM6
ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_I_MM6
ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(1004):Old State = IKE_I_MM6 New State = IKE_P1_COMPLETE
ISAKMP:(1004):beginning Quick Mode exchange, M-ID of 912673883
ISAKMP:(1004):QM Initiator gets spi
ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1004):Sending an IKE IPv4 Packet.
ISAKMP:(1004):Node 912673883, Input = IKE_MESG_INTERNAL, IKE_INIT_QM
ISAKMP:(1004):Old State = IKE_QM_READY New State = IKE_QM_I_QM1
ISAKMP:(1004):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
ISAKMP:(1004):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
ISAKMP (1004): received packet from 150.1.7.7 dport 500 sport 500 Global (I) QM_IDLE
ISAKMP:(1004): processing HASH payload. message ID = 912673883
ISAKMP:(1004): processing SA payload. message ID = 912673883
ISAKMP:(1004):Checking IPSec proposal 1
ISAKMP: transform 1, ESP_AES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1 (Tunnel)
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 3600
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-SHA384
ISAKMP: key length is 192
ISAKMP:(1004):atts are acceptable.
IPSEC(validate_proposal_request): proposal part #1
IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 150.1.8.8:0, remote= 150.1.7.7:0,
local_proxy= 150.1.10.10/255.255.255.255/256/0,
remote_proxy= 150.1.9.9/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes 192 esp-sha384-hmac (Tunnel),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 192, flags= 0x0
Crypto mapdb : proxy_match
src addr : 150.1.10.10
dst addr : 150.1.9.9
protocol : 0
src port : 0
dst port : 0
(ipsec_process_proposal)Map Accepted: R7_TO_R8, 10
ISAKMP:(1004): processing NONCE payload. message ID = 912673883
ISAKMP:(1004): processing ID payload. message ID = 912673883
ISAKMP:(1004): processing ID payload. message ID = 912673883
ISAKMP:(1004):Node 912673883, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
ISAKMP:(1004):Old State = IKE_QM_I_QM1 New State = IKE_QM_IPSEC_INSTALL_AWAIT
IPSEC(key_engine): got a queue event with 1 KMI message(s)
Crypto mapdb : proxy_match
src addr : 150.1.10.10
dst addr : 150.1.9.9
protocol : 256
src port : 0
dst port : 0
IPSEC(crypto_ipsec_create_ipsec_sas): Map found R7_TO_R8, 10
IPSEC(create_sa): sa created,
(sa) sa_dest= 150.1.8.8, sa_proto= 50,
sa_spi= 0xE23824B8(3795330232),
sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 9
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 150.1.8.8:0, remote= 150.1.7.7:0,
local_proxy= 150.1.10.10/255.255.255.255/256/0,
remote_proxy= 150.1.9.9/255.255.255.255/256/0
IPSEC(create_sa): sa created,
(sa) sa_dest= 150.1.7.7, sa_proto= 50,
sa_spi= 0xC876977A(3363215226),
sa_trans= esp-aes 192 esp-sha384-hmac , sa_conn_id= 10
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 150.1.8.8:0, remote= 150.1.7.7:0,
local_proxy= 150.1.10.10/255.255.255.255/256/0,
remote_proxy= 150.1.9.9/255.255.255.255/256/0
IPSEC: Expand action denied, notify RP
ISAKMP: Failed to find peer index node to update peer_info_list
ISAKMP:(1004):Received IPSec Install callback... proceeding with the negotiation
ISAKMP:(1004):Successfully installed IPSEC SA (SPI:0xE23824B8) on GigabitEthernet0/1.58
ISAKMP:(1004): sending packet to 150.1.7.7 my_port 500 peer_port 500 (I) QM_IDLE
ISAKMP:(1004):Sending an IKE IPv4 Packet.
ISAKMP:(1004):deleting node 912673883 error FALSE reason "No Error"
ISAKMP:(1004):Node 912673883, Input = IKE_MESG_FROM_IPSEC, IPSEC_INSTALL_DONE
ISAKMP:(1004):Old State = IKE_QM_IPSEC_INSTALL_AWAIT New State = IKE_QM_PHASE2_COMPLETE
ISAKMP:(1004):purging node 912673883
hmm...I JUST got thru some of this stuff - but I THINK you're negotiating a tunnel each way with IPSEC - and maybe ISAKMP too - and it sure seems like R7 doesn't want to set up with R8 even if R8 sets up with R7 - if it was IOU I'd say dump that stuff and get CSR1000v or GNS3 regular routers -
could be a VIRL config issue. - I'd really like to see what the R7 to R8 debug when R7 tries to initiate since it seems to be R7 to R8 setup that's killing u, not R8 to R7
RB
do me a favor - post ur R7 and R8 configs too- I know this is the crypto map lab, right? The first one? Let me put it up in ye ol' CSR1000v and see what happens
RB
Ended up giving up and moving onto the next labs - VTI and GRE is much easier than the crypto maps!
I've got the following config from my notepad; I'm pretty sure this is what I ended up with. This would be pasted onto the plain IPSEC VPN config:
R7
conf t
ip route 0.0.0.0 0.0.0.0 155.1.67.6
ip route 0.0.0.0 0.0.0.0 155.1.37.3
router ospf 1
default-information originate
int g0/1.79
ip ospf 1 area 0
exit
ip access-list extended R7_TO_R8_ACL
permit ip host 150.1.9.9 host 150.1.10.10
permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255
crypto ipsec transform-set ESP_AES192_SHA384 esp-aes 192 esp-sha384-hmac
mode tunnel
exit
crypto isakmp key CISCO address 150.1.8.8
crypto isakmp policy 10
authentication pre-share
encr aes 256
hash sha512
group 24
exit
crypto map R7_TO_R8 10 ipsec-isakmp
match address R7_TO_R8_ACL
set peer 150.1.8.8
set transform-set ESP_AES192_SHA384
exit
crypto map R7_TO_R8 local-address l0
int g0/1.37
crypto map R7_TO_R8
int g0/1.67
crypto map R7_TO_R8
end
R8
conf t
ip route 0.0.0.0 0.0.0.0 155.1.58.5
router ospf 1
default-information originate
exit
ip access-list extended R7_TO_R8_ACL
permit ip host 150.1.10.10 host 150.1.9.9
permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
crypto ipsec transform-set ESP_AES192_SHA384 esp-aes 192 esp-sha384-hmac
mode tunnel
exit
crypto isakmp key CISCO address 150.1.7.7
crypto isakmp policy 10
authentication pre-share
encr aes 256
hash sha512
group 24
exit
crypto map R7_TO_R8 10 ipsec-isakmp
match address R7_TO_R8_ACL
set peer 150.1.7.7
set transform-set ESP_AES192_SHA384
exit
crypto map R7_TO_R8 local-address l0
int g0/1.58
crypto map R7_TO_R8
end
R9
conf t
router ospf 1
exit
int g0/1.79
ip ospf 1 area 0
int g0/1.9
ip ospf 1 area 0
int l0
ip ospf 1 area 0
end
R10
conf t
router ospf 1
int g0/1.108
ip ospf 1 area 0
int g0/1.10
ip ospf 1 area 0
int l0
ip ospf 1 area 0
exit
With the debugs going from R7 to R8 (traffic originating on router 9) the isakmp process wouldn't even start. I'd confirmed routing, just originating the default route out to R9, and confirmed that was working via sh ip cef etc.
When using the VTI and GRE over IPsec everything works fine on VIRL. I would suspect a bug or order of operations issue, but I tried reloading the router, stripping off the crypto map and reapplying it to the interface etc., and the one-way thing says to me it's my config.
Thanks!
Thought I saw the problem in ur config but pasted it into my lab just to be safe
You were missing the ip ospf 1 area 0 on the R8 link to R10 (g0/1.108 - or gi 1.108 in my lab) - so you didn't have ospf connectivity between R8 and R10 - once I added that command I was home free
R10#ping 150.1.9.9 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
Packet sent with a source address of 150.1.10.10
.....
Success rate is 0 percent (0/5)
R10#
%OSPF-5-ADJCHG: Process 1, Nbr 150.1.8.8 on GigabitEthernet1.108 from LOADING to FULL, Loading Done
R10#ping 150.1.9.9 so l0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 150.1.9.9, timeout is 2 seconds:
Packet sent with a source address of 150.1.10.10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/16/31 ms
and I saw the same thing u did - isakmp tunnels on R7 but not R8 because the traffic generated on R10 never had a route out of R10 to trigger it on R8
If phase1 and phase2 come up, and you have no filters, it means you have a routing problem on the router which is not encrypting traffic, as routing does not put packets inside the IPsec tunnel.
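As an added example (not code from the thread, from INE's workbook or from Cisco), here is a small Python script that mechanises the two checks this thread ends up on, for the original post's counters and ACLs and for Cristian's rule of thumb just above: it reads the encaps/decaps counters out of 'show crypto ipsec sa' to name the symptom, then parses both peers' crypto ACLs to confirm they mirror each other and that the flow being tested is interesting traffic on both sides. The sample input is constructed from the addresses and counters posted above; the function names, the report keys and the wildcard handling (contiguous wildcards only, via the ipaddress module's hostmask notation) are my assumptions. When the ACLs agree and one side still shows encaps without decaps, the report points at routing on the side that never encrypts.

```python
import ipaddress
import re
from collections import namedtuple
from typing import List, Optional, Tuple

AclEntry = namedtuple("AclEntry", "action proto src dst")

# Constructed sample input: addresses and counters copied from the thread.
R8_IPSEC_SA = """\
#pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""
R7_ACL = """\
permit ip host 150.1.9.9 host 150.1.10.10
permit ip host 150.1.9.9 155.1.10.0 0.0.0.255
permit ip 155.1.9.0 0.0.0.255 host 150.1.10.10
permit ip 155.1.9.0 0.0.0.255 155.1.10.0 0.0.0.255
"""
R8_ACL = """\
10 permit ip host 150.1.10.10 host 150.1.9.9 (83 matches)
20 permit ip host 150.1.10.10 155.1.9.0 0.0.0.255
30 permit ip 155.1.10.0 0.0.0.255 host 150.1.9.9
40 permit ip 155.1.10.0 0.0.0.255 155.1.9.0 0.0.0.255
"""

def parse_counters(show_output: str) -> Tuple[int, int]:
    """Return (encaps, decaps) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encaps:\s*(\d+)", show_output)
    dec = re.search(r"#pkts decaps:\s*(\d+)", show_output)
    return int(enc.group(1)), int(dec.group(1))

def classify_counters(encaps: int, decaps: int) -> str:
    """Map the counter pattern to the symptom it usually indicates."""
    if encaps and decaps:
        return "bidirectional"
    if encaps:
        return "one-way: this side encrypts, the peer never does"
    if decaps:
        return "one-way: the peer encrypts, this side never does"
    return "idle: nothing has matched the crypto ACL on this side"

def _addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one IOS address spec (host X | any | NET WILDCARD) at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net, wild = tokens[i], tokens[i + 1]
    # ipaddress reads a dotted mask starting with 0 as a hostmask (an IOS wildcard);
    # the all-zero and all-one masks it reads as netmasks, so translate those by hand.
    if wild in ("0.0.0.0", "255.255.255.255"):
        return ipaddress.ip_network(net + "/32" if wild == "0.0.0.0" else "0.0.0.0/0"), i + 2
    return ipaddress.ip_network(f"{net}/{wild}", strict=False), i + 2

def parse_acl(text: str) -> List[AclEntry]:
    """Parse permit/deny lines as printed by 'show access-lists' or 'show
    crypto map'; sequence numbers and '(N matches)' suffixes are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "access-list":   # 'show crypto map' form
            tokens = tokens[2:]
        if tokens and tokens[0].isdigit():          # 'show access-lists' form
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _addr(tokens, 2)
        dst, _ = _addr(tokens, i)
        entries.append(AclEntry(tokens[0], tokens[1], src, dst))
    return entries

def first_match(acl, src_ip: str, dst_ip: str) -> Optional[AclEntry]:
    """First entry matching the flow, i.e. is it 'interesting traffic' here."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return next((e for e in acl if s in e.src and d in e.dst), None)

def mirror_gaps(local, remote) -> List[AclEntry]:
    """Permit entries of local with no src/dst-swapped twin in remote; crypto
    ACLs must mirror each other or the quick-mode proxy IDs will not agree."""
    swapped = {(e.proto, e.dst, e.src) for e in remote if e.action == "permit"}
    return [e for e in local
            if e.action == "permit" and (e.proto, e.src, e.dst) not in swapped]

def diagnose(local_sa: str, local_acl, remote_acl, src_ip: str, dst_ip: str) -> dict:
    """All checks for one flow, seen from the side that posted the SA. Phase 1/2 up,
    ACLs correct and one-way counters means the non-encrypting side is not routing."""
    encaps, decaps = parse_counters(local_sa)
    gaps = mirror_gaps(local_acl, remote_acl) + mirror_gaps(remote_acl, local_acl)
    report = {
        "symptom": classify_counters(encaps, decaps),
        "forward_interesting": first_match(local_acl, src_ip, dst_ip) is not None,
        "return_interesting": first_match(remote_acl, dst_ip, src_ip) is not None,
        "acl_mirror_gaps": gaps,
    }
    if encaps and not decaps and not gaps and report["return_interesting"]:
        report["next_check"] = ("ACLs agree: check that the peer routes "
                                f"{dst_ip}->{src_ip} out its crypto-mapped interface")
    return report
```

For the thread's flow as seen from R8, call diagnose(R8_IPSEC_SA, parse_acl(R8_ACL), parse_acl(R7_ACL), "150.1.10.10", "150.1.9.9"): the symptom comes back one-way, both ACLs classify the flow and its return as interesting, no mirror gaps are found, and the next_check entry tells you to look at how the peer routes 150.1.9.9 to 150.1.10.10, which is where this thread ended up. Paste your own 'show' output into the three strings to check a different pair.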
Nice one - thanks guys!
I did look at the routing as per Cristian's comments, but I suspect I was fixated on the 7 to 9 traffic when the issue was around the 10 to 8 routing. I'll have to look at both sides next time if I get this again.